-
Notifications
You must be signed in to change notification settings - Fork 308
Conversation
2e783c8
to
8a795f3
Compare
I tested this with a couple of emails having plus sign and couldn't reproduce this. It's probably (selectively) happening on mandrill's end? If yes, what can we do about that? |
Either on Mandrill's end or in actual mail clients (Gmail, etc.). More research required ... |
@aandis We should just be able to base64-encode the email address for transport across the URL. Working on a commit ... |
Actually, you wanna do that? :-) |
@aandis Does it make sense what I'm suggesting? In other words, instead of sending this link in email:
We would send this:
Then we would decode on the receiving end. That should work, no? |
^ I like that idea |
Sounds good. I'll get to this tomorrow. |
ankane/mailkick#5 (comment) suggests this will work! |
There we go. :-) !m @aandis |
Out of curiosity, why do we send the email in the verification link in the first place? The |
@aandis Also an option. Whatever is lowest-hanging fruit here, I think. We've got bigger fish to fry. |
Which is to say, follow your ❤️, @aandis! :-) |
Alright. :) |
#3022 (comment) for reference |
I know it still might not make a practical difference - but removing the email seems like a step backward to me :) |
Email verification nonces aren't much of a security issue since they're not passwords (they don't log you in, they only set the verified bit on the address). Still, you don't want to use a random nonce as both an ID and a password, even when there is no real threat. @aandis "pretty much unique" isn't enough, if it's not 100% unique then you need extra code to deal with conflicts, otherwise a few unlucky users could be prevented from verifying their emails. So, encoding the address with base64 is simpler. Two more things:
|
Sorry I haven't gotten around to doing this yet. 😞 @Changaco my reason for wording it as "pretty much unique" and not "perfectly unique" was exactly that. There's a very (very) low probability that they can collide, but nonetheless, there is a chance and I had it in mind to handle the collisions if we went this route. :) |
Another thing I forgot to mention, including in the original comment that @rohitpaulk quoted, is that a DB index lookup is not guaranteed to run in constant time, so if you lookup a password (nonce or permanent, it doesn't matter) you're potentially exposed to a timing attack. In short: never lookup a password, never put a
I look forward to it. :-) |
Ready for review. :) |
self.alice.add_email("foo+bar@example.com") | ||
link = send_email.args[1] | ||
assert link.startswith('/~alice/emails/verify.html?email=foo%2Bbar%40example.com&nonce=') | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How is this still passing? 😱
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I modified the verification link to contain email64=<encoded-email>
. Here's the test
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@whit537 before merge, we should probably remove this test as well. But I still don't understand why this is passing in the first place. The link now starts with /~alice/emails/verify.html?email64=
, so the assert should fail. Something I don't know about mock
yet?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Roger.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Something I don't know about
mock
yet?
Yup, you called it: link
is a mock, which thinks everything is a-okay. Guido pointed this up recently.
(Pdb) l
246 def test_emails_with_plus_are_linked_properly(self, send_email):
247 send_email.return_value = 1
248 self.alice.add_email("foo+bar@example.com")
249 link = send_email.args[1]
250 import pdb; pdb.set_trace()
251 -> assert link.startswith('/~alice/emails/verify.html?email=foo%2Bbar%40example.com&nonce=')
252
253 def test_can_dequeue_an_email(self):
254 larry = self.make_participant('larry', email_address='larry@example.com')
255 larry.queue_email("verification")
256
(Pdb) pp link
<MagicMock name=u'send_email.args.__getitem__()' id='4383627408'>
(Pdb)
return udecode(b64decode(s, '-_')) | ||
except Exception: | ||
try: | ||
# For retrocompatibility |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
... with liberapay's version?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This question would be obsolete with #3977.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
... with liberapay's version?
No, compatibility with standard base64.
Okay! Punchlist:
|
1d7e0cd
to
b2b70c1
Compare
@aandis I'm ready to land this when you are. What's left? |
8a73270
to
770f0b2
Compare
Alright, @aandis, travis is green. We ready to merge? 😮 |
Yep! 💃 |
Let's fix #3110. I don't know yet what the issue is, but so far here's a passing test for escaping plusses in emails in the links we send out. At what point are those getting unescaped?